I am not implementing any user specific authentication when fetching data from Firestore as user authentication is being done using SSO. Our ReactJs application is using Firebase Web SDK config to fetch data from Firestore however earlier Firebase SDK used to ignore Firestore security rule but after Firebase V9 SDK it consider Firestore rule as well.
My Question is as follow.
-
By setting
allow read, write if true;will this rule make our database public and anyone who even doesn’t have my Firebase Web SDK Config credentials will be able to access my database? -
If answer to above question is yes then how I could secure my Firestore database without using Firebase authentication like phone, eamil/password, anonymous i.e. I mean without making any changes in ReactJs application?
Please help me understand Firestore security rule.
>Solution :
By setting
allow read, write if true;will this rule make our database
public and anyone who even doesn’t have my Firebase Web SDK Config
credentials will be able to access my database?
Your database is public with such a rule but one needs to have your Firebase Project configuration data (Project apiKey). However note that it is not difficult to reverse engineer your front-end code to get this apiKey.
So the answer is Yes.
If answer to above question is yes then how I could secure my
Firestore database without using Firebase authentication like phone,
eamil/password, anonymous i.e. I mean without making any changes in
ReactJs application?
There isn’t any alternative way than using authentication and security rules to protect your database from being read via the Firebase V9 SDK.
You could mimic a 3 tiers architecture approach by using Cloud Functions to interact with Firestore from your front-end (as explained in this article) and implement some bespoke secure logic into the Cloud Functions (but using Cloud Functions for reading/writing from/to Firestore has quite some drawbacks and you would need to change your ReactJS app).